Council loses USB stick used to store security codes

Council loses USB stick used to store security codes

ICO told of lost backup drive

Article comments

Leicester City Council has become the latest organisation to tell to the Information Commissioner’s Office (ICO) that it has lost a USB stick containing sensitive personal data.

The drive appears to have contained not only the personal records of 4,000 elderly and vulnerable people in the city but, worse still, the codes to 2,000 small safe boxes on the outside of social housing used to store building keys.

In the light of the immediate security risk, the council is now in the process of changing the codes to counter the possibility that these might fall into the wrong hands.

Exactly what has happened to the drive remains a mystery. The drive reportedly never left the council offices and staff are said to be still hunting for it. Normally used as a backup drive and stored in a safe after use each night, the drive was last seen on Friday 4 March and reported as missing the following Tuesday.

A key issue will be whether the data on the drive was encrypted. A statement by a council spokesperson implied that it had been but this has yet to be confirmed.

"While we have been assured by our supplier the information on the device is not accessible to anyone who may find it, we are taking every precaution to maintain the security of our LeicesterCare user,” the Council said in a statement.

The Council has some history when it comes to USB sticks, having in 2008 lost a USB stick containing data on 80 children attending a nursery.

Further afield, lost USB sticks are now a tiresomely repeating security theme, including last month’s ICO reprimand for Cambridgeshire County Council for losing one containing data on vulnerable adults.

In both the Leicester and Cambridge cases, however, there are notable twists worth paying attention to. In Leicester the drive was only used to backup data before being stored in a safe – this was not dropped carelessly in a car park by a staff member. Superficially, the drive was being fully managed as part of a data policy. Meanwhile, Cambridge’s breach happened after an employee used a non-encrypted drive because the encrypted one suffered an unspecified problem.

Both examples underscore that even with encryption, the small physical size and undemanding nature of USB sticks makes them easy to lose or take for granted. However well secured they appear, complex chains of events can make them physically insecure.

Share:

Comments

  • Jtate Since the data stored on these drives is just for backup and can be accessed again the loss of information is of course not the issue- it is that the information can fall into the wrong hands The only way to have peace of mind is to enforce the use of a flash drive with full-disk encryption with no way around the encryption Physical barriers protecting the encrypted data should also be enforced see
Advertisement
Send to a friend

Email this article to a friend or colleague:


PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.


We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

ComputerworldUK Knowledge Vault

ComputerworldUK
Share
x
Open
* *